Vendor Risk Management Insights

Using Threat Intelligence to Manage Third Party Risk: The Boy Who Cried Wolf

More and more enterprises are increasing their budgets for threat intelligence in order to stay on top of the latest security risks. The dramatic increase in third party cyber security risk seems to make it another area where threat intelligence can be applied. But is threat intelligence actually a good fit for your third-party risk management program?

Are You Using Risk Management Software the Right Way?

According to ESG, 72% of enterprise organizations plan to increase spending on their threat intelligence programs over the next 12 to 18 months.[i] This represents considerable resources focused on threat intelligence.

A Few Flaws in Only Using a Threat Intelligence Approach

While there is no doubt that threat intelligence plays an important role in identifying and assessing your organization’s vulnerabilities, experience has shown that using the data provided by threat intelligence to manage third party risk has a few flaws:

It doesn’t scale. Using threat intelligence to measure your organization’s vulnerabilities requires experienced people who can separate the signal from the noise. Someone must evaluate each alert and weed out the false positives, which can outnumber legitimate vulnerabilities by 5 to 10 times. While this approach may be manageable when looking at your own attack surface area, it doesn’t scale when trying to identify risk across hundreds, thousands, or tens of thousands of vendors. By its nature, threat intel is not accurate enough to build automated and actionable risk assessments that allow you to confidently engage third parties with a reasonable level of resources.

It’s only a secondary measure. What about the alerts that are accurate (not false positives)? Even an accurate alert may not be meaningful. Threat intelligence often measures potential threats (leaked credentials, dark web chatter, etc.) rather than actionable gaps in the vendor’s defenses. And you cannot directly manage every detail of the security programs of every vendor.

It’s often helpful only for larger vendors. One of your large vendors is likely a target of bad actors. What about the 80% of your vendors that are small or medium-sized and generally not targeted? If they score well on threat intelligence, does that mean they have strong security practices, or just that no one has tried breaching them yet?

It’s easy to see that relying on threat intelligence alone in your third party risk management program could create a “boy who cried wolf” scenario, throwing up alerts on threats that aren’t real and consuming significant resources, yours and your suppliers’. What’s the alternative?

Call Out Real Third Party Cyber Security Risks: Directly Measure Attack Surface Area

Threat intelligence certainly has a place in third party risk management if implemented appropriately. If your vendor frequently experiences data loss events or privacy breaches, that is a legitimate concern. However, we recommend implementing primary measures that look directly at the attack surface areas of the vendor: its internet-accessible assets.

It’s a primary measure. These measures capture the current vulnerabilities in your vendors’ internet-facing infrastructure, the ones most likely to be targeted by bad actors. Soft targets may not be the subject of chatter, but they will certainly be found by cybercriminals.

It’s consistent with your existing practices. Many measurements of attack surface area – for example, patching, web, application, and email security – map directly to questions in your existing assessment questionnaire. Accordingly, these measures are straightforward enough for analysts to understand and incorporate into their existing work product.

It’s beneficial for vendors of any size. While not all vendors show up as targets in dark web chatter today, they all have infrastructure on the internet that can be evaluated for good security practices. With the increasing number of targeted small and medium businesses, it’s important to know whether they have strong security practices in place.
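As an added example of how one of the attack surface measures listed above, email security, can be derived directly from a vendor’s internet-facing assets rather than from threat chatter: the script below checks a domain’s SPF and DMARC records and turns the gaps into findings an analyst can map to the matching questionnaire item. This is illustrative code written for this page, not RiskRecon’s method or software. The vendor domains and DNS TXT records are constructed and served from an in-memory dictionary so it runs offline, and the severity weights are an assumption for illustration, not a published scoring model.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample DNS TXT data for hypothetical vendor domains. A real
# assessment would query DNS; this dict stands in for the resolver so the
# example runs offline.
SAMPLE_TXT: Dict[str, List[str]] = {
    "good-vendor.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.good-vendor.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good-vendor.example"],
    # Two SPF records (a permanent error per RFC 7208), and the first one is +all.
    "weak-vendor.example": ["v=spf1 +all", "v=spf1 include:other.example ~all"],
    "_dmarc.weak-vendor.example": ["v=DMARC1; p=none; pct=100"],
    # A domain that publishes neither SPF nor DMARC.
    "nothing-vendor.example": ["some-site-verification=abc123"],
}


def txt_lookup(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; an empty list models no answer."""
    return SAMPLE_TXT.get(name.lower(), [])


# Illustrative severity weights (an assumption, not a published scoring model).
WEIGHT = {"high": 30, "medium": 15, "low": 5}

Issue = Tuple[str, str]  # (severity, message)


@dataclass
class EmailFinding:
    domain: str
    issues: List[Issue] = field(default_factory=list)

    @property
    def score(self) -> int:
        """0 to 100; 100 means no issues were found."""
        return max(0, 100 - sum(WEIGHT[sev] for sev, _ in self.issues))


# SPF terms that each consume one of the 10 DNS lookups RFC 7208 permits.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)", re.I)
_ALL_TERMS = {"all", "+all", "-all", "~all", "?all"}


def check_spf(domain: str, lookup: Callable[[str], List[str]] = txt_lookup) -> List[Issue]:
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record published")]
    issues: List[Issue] = []
    if len(spf) > 1:
        issues.append(("high", "multiple SPF records (RFC 7208 section 4.5: permerror)"))
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lower() in _ALL_TERMS), None)
    if all_term is None:
        issues.append(("medium", "no 'all' mechanism; unlisted senders are treated as neutral"))
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"  # bare 'all' means +all
        if qualifier == "+":
            issues.append(("high", "SPF ends in +all: any host may send as this domain"))
        elif qualifier == "?":
            issues.append(("medium", "SPF ends in ?all (neutral); spoofed mail is not rejected"))
        elif qualifier == "~":
            issues.append(("low", "SPF ends in ~all (softfail); -all is stricter"))
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(("medium", f"SPF requires {lookups} DNS lookups; the limit is 10"))
    return issues


def check_dmarc(domain: str, lookup: Callable[[str], List[str]] = txt_lookup) -> List[Issue]:
    records = [r for r in lookup(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not records:
        return [("high", "no DMARC record published")]
    tags: Dict[str, str] = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    issues: List[Issue] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append(("medium", "DMARC p=none: failures are reported but mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        issues.append(("high", f"DMARC policy tag missing or invalid: p={policy!r}"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(("low", f"DMARC policy applies to only {pct}% of mail"))
    if "rua" not in tags:
        issues.append(("low", "no rua= address: no aggregate reports will be received"))
    return issues


def assess_email_security(domain: str, lookup: Callable[[str], List[str]] = txt_lookup) -> EmailFinding:
    """Combine SPF and DMARC checks into one finding for the vendor domain."""
    return EmailFinding(domain, check_spf(domain, lookup) + check_dmarc(domain, lookup))


if __name__ == "__main__":
    for d in ("good-vendor.example", "weak-vendor.example", "nothing-vendor.example"):
        finding = assess_email_security(d)
        print(f"{d}: score {finding.score}")
        for sev, msg in finding.issues:
            print(f"  [{sev}] {msg}")
```

Because the checks read only published DNS records, they apply equally to a small vendor nobody is talking about and to a large one that is, which is the point of a primary measure: the result reflects what the vendor has actually deployed, not whether anyone has noticed them yet. To run it against live domains, replace txt_lookup with a real resolver call and keep the rest unchanged.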

Managing third party risk requires continuous monitoring; however, threat intelligence on its own typically isn’t accurate enough to be built cost-effectively into your third party risk management process. Several Fortune 500 companies control their third party risk with continuous monitoring by RiskRecon.